After almost 10 million current and former Optus customers have been affected by the recent data breach, there is talk of a potential class action being launched against Optus, either for negligence or breach of privacy.

This may have you wondering – what obligations do businesses have to protect their customers’ privacy?

Privacy Act

The Privacy Act 1988 is federal legislation that governs how personal information should be collected, used, stored and disclosed in Australia.

If a business’ annual turnover is more than $3 million it has to comply with the Privacy Act. If a business has an annual turnover of $3 million or less, it is classified as a small business. Only some small businesses are covered by the Privacy Act, including but not limited to those that ‘trade in personal information’, health service providers and credit reporting agencies.

The Office of the Australian Information Commissioner has a helpful checklist for small businesses to help them work out if they are covered by the Privacy Act. It is important to know if your business is covered by the Privacy Act because, if it is, your business has obligations in relation to protecting the privacy of its customers.

Privacy principles

At the end of the Privacy Act is a schedule of 13 Australian Privacy Principles that all businesses covered by the Privacy Act must comply with. For a description of the 13 Privacy Principles, you can read our previous article: Commercial Law – Are you keeping your clients safe?

One key thing to know is that if your business is covered by the Privacy Act, you must have a privacy policy that complies with the requirements of the Privacy Act. At Lynn & Brown Lawyers, we have a team of lawyers who can review your current privacy policy and/or prepare a new privacy policy for you.

As detailed in our previous article, there are some other obligations on businesses in relation to their customers’ personal information, including but not limited to:

  • notifying a person when their personal information has been collected;
  • only using a person’s personal information for the purpose specified;
  • not using a person’s personal information for direct marketing;
  • allowing a person access to their personal information; and
  • updating a person’s personal information if it is out of date or inaccurate.

Destroying personal information

One of the issues that has arisen in the Optus breach is that it appears that Optus may have been holding personal information of customers that they no longer needed to hold.

Some of the Privacy Principles require businesses to destroy personal information in certain circumstances. For example, Privacy Principle #4 says that if a business receives unsolicited personal information about a person, they must either destroy or de-identify the information.

Likewise, Privacy Principle #11 says that if a business holds personal information that it no longer needs for any purpose that is allowed under the Privacy Principles, it must destroy or de-identify the information.

Data breach reporting obligations

After Optus found out about their data breach, they notified relevant agencies and individuals of the breach. This was because of a scheme called the Notifiable Data Breach Scheme that requires businesses to notify the Office of the Australian Information Commissioner and affected individuals if:

  • there is unauthorised access to personal information; or
  • there is unauthorised disclosure of personal information; or
  • personal information is lost;

AND

  • the above event(s) is likely to result in serious harm to one or more individuals; AND
  • the business has not been able to prevent the likely risk of serious harm with remedial action.

If you run a business and want to better understand your obligations under the Privacy Act, don’t hesitate to get in contact with Lynn & Brown Lawyers for expert legal assistance.

About the authors: This article has been co-authored by Chelsea McNeill and Steven Brown. Chelsea is a lawyer who graduated from Murdoch University. Steven is a Perth lawyer and director, has over 20 years’ experience in legal practice, and practices in commercial law, dispute resolution and estate planning.
